Method for validation of a graphically based executable control specification using model extraction

ABSTRACT

A system and method to hierarchically validate graphically based executable logic control specifications. The method may include performing an open loop validation of a feature of a plurality of features in the control specification, performing an open loop validation of the functional hierarchy of an application of a plurality of applications in the graphically based logic control specification in response to completing successful validation of the plurality of features, performing a closed loop validation an ECU model of a plurality of ECUs modeled in the graphically based logic control specification in response to completing successful validation of the plurality of applications, and performing a closed loop validation of the plurality of ECUs modeled in response to completing successful validation of the ECU modeled.

RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent application Ser. No. 13/448,304, entitled “Hierarchical Accumulated Validation System and Method,” filed on Apr. 16, 2012, which is assigned to the assignee hereof and hereby expressly incorporated by reference herein.

BACKGROUND

1. Field

The present disclosure relates generally to improvements in validating control specifications and more particularly pertains to a system and method to generate test cases to hierarchically validate graphically based executable logic control specifications using model extraction.

2. Description of the Related Art

As demand grows for new in-vehicle features, a large number of electronic control modules are being introduced in the automobile to increase passenger's comfort, safety, entertainment and overall performance. The performance parameters of features such as electronic power steering, engine management systems, anti-lock braking systems, airbag systems, transmission systems, and navigation and entertainment systems are monitored and controlled by electronic control units (ECUs). Vehicle level ECU design and testing for small hardware or software changes is expensive and computationally intensive. Historically, module level tests have proved insufficient and are unable to be used to validate an entire ECU. Thus, a more efficient and inclusive system and method of validating designs to comply with a standard is desired.

SUMMARY

The above disclosed needs are successfully met via the disclosed system and method. The present disclosure is generally directed to a system and method to hierarchically validate a graphically based executable logic control specification designed to comply with a standard, such as an ISO standard. Specifically, the present disclosure is directed to a system and method to generate test cases to hierarchically validate graphically based executable logic control specifications such as via using model extraction.

In various exemplary embodiments, a computer-based method, a system, and an article of manufacture including a non-transitory, tangible computer readable storage medium having instructions stored thereon is disclosed. This method may include performing an open loop validation of a feature of a plurality of features in the control specification, performing an open loop validation of the functional hierarchy of an application of a plurality of applications in the graphically based logic control specification in response to completing successful validation of the plurality of features, performing a closed loop validation an ECU model of a plurality of ECUs modeled in the graphically based logic control specification in response to completing successful validation of the plurality of applications, and performing a closed loop validation of the plurality of ECUs modeled in response to completing successful validation of the ECU modeled.

This computer-based method, according to various embodiments, may also include releasing the validated control specification. The computer-based method may include generating a validation test plan. External editing of the control specification model may be ceased during validation. The results may be certified and the process may be documented.

According to various embodiments, the computer-based method may include validating the control specification to achieve best possible modified condition/decision coverage. A graphically based model slicing tool may be utilized to extract targeted models. These targeted models may be selected based on functionality and/or a functional Requirement. The inputs and/or outputs of the models may be retained and/or maintained post extraction.

According to various embodiments, an entire electronic control unit such as of a vehicle may be validated using the methods described herein. For instance, a unique feature test case may be developed to validate each unique functional requirement of the graphically based logic control specification. A hierarchical validation process may flow from module level to feature level to application level.

Based on computational constraints the functional hierarchies may be subdivided if desired. Moreover, to assist with efficiency, overlapping test case validation provides substantially exhaustive validation coverage and minimizes computational constraints.

In general, according to various embodiments, the validation stats at the end of the control specification and validates to the beginning of the control specification. The validation may be to an International Organization for Standardization (ISO) specification, such as ISO 26262. Elements of the graphically based logic control specification may be rendered on a user interface.

BRIEF DESCRIPTION OF THE DRAWINGS

Other systems, methods, features, and advantages of the present disclosure will be or will become apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features, and advantages be included within this description, be within the scope of the present disclosure, and be protected by the accompanying claims. Component parts shown in the drawings are necessarily to scale, and may be exaggerated to better illustrate the features of the present disclosure. In the drawings, like reference numerals designate like parts throughout the different views, wherein:

FIGS. 1A and 1B depict an exemplary embodiment of a validated ECU in use in a vehicle;

FIGS. 2A and 2B depict exemplary high level graphically based executable logic control specification functional hierarchies;

FIGS. 3A-3C depicts an exemplary process flow for validating one or more functional hierarchies;

FIGS. 4A and 4B depict an exemplary process flow for validating one or more functional hierarchies;

FIG. 5 depicts an exemplary process flow for running test cases configured for functional checking;

FIG. 6 depicts an exemplary process flow for aggregating validation information;

FIG. 7 depicts an exemplary process flow for improved confidence in coverage;

FIG. 8 depicts exemplary .mdl data structure representations;

FIG. 9 depicts an exemplary high level graphically based executable logic control specification functional hierarchy;

FIG. 10 depicts an exemplary work flow for a hierarchical accumulative validation;

FIG. 11 depicts an exemplary work flow for an open loop low level validation within a hierarchical accumulative validation;

FIG. 12 depicts an exemplary work flow for an open loop high level validation within a hierarchical accumulative validation;

FIG. 13 depicts an exemplary work flow for an open loop functional hierarchies (FH) validation within a hierarchical accumulative validation;

FIG. 14 depicts an exemplary work flow for a closed loop validation of a single ECU within a hierarchical accumulative validation; and

FIG. 15 depicts an exemplary work flow for a closed loop validation of multiple ECUs within a hierarchical accumulative validation.

DETAILED DESCRIPTION

In the automobile industry, an electronic control unit (ECU) is an embedded electronic device, such as a digital computer, that read signals coming from sensors placed at various parts/locations and in different components of the automobile (See FIG. 1A), Depending on this signal data, the ECU controls various units (e.g., engine) and automated operations within the automobile and also keeps a check on the performance of some key components used in the automobile.

An ECU generally comprises hardware and software (firmware). The hardware may comprise various electronic components on a printed circuit board (PCB). These components may further comprise a microcontroller chip along with an EPROM (erasable programmable read only memory) or a flash memory chip. The software (firmware) may be a set of lower-level codes that are processed by the microcontroller.

Many times, in the industry, an ECU (Electronic Control Unit or Engine Control Unit) may be referred to as an ECM (Engine Control Module). The ECM, also known as EMS (Engine Management System), is an ECU in an internal combustion engine that controls various engine functions such as fuel injection, ignition timing and idle speed control system. This control may be based on data (like engine coolant temperature, air flow, crank position, etc.) received from various sensors (See FIG. 1B). The ECM may also “learn about” the engine as the automobile is driven. The “learning” is actually a process that the ECU uses to track the tolerance changes of the sensors and/or the actuators on the engine. The ECM stores these “learned” values in battery backed-up RAM so that it doesn't have to start from scratch the next time the engine is turned over. In the aeronautical applications, these systems (ECM equivalents) are popularly called “FADECs” (Full Authority Digital Engine Control). Referring to FIGS. 1A and 1B, an exemplary vehicle is shown including an ECU 200. As depicted in FIG. 1B, the ECU 200 may be configured to receive input from sensors and to receive input directly from a user, e.g., a driver of the vehicle.

The creation of a complete ECU 200 is an intensive process that requires rigorous, planning, testing, and verification. Often times, the design of the ECU 200 or parts of the ECU 200 may be aided through use of a Visual Programming Language (VPL), Model Based Development (MBD) and/or graphically based executable logic. In computing, a visual programming language is any programming language that lets users create programs by manipulating program elements graphically rather than by specifying them textually. VPL allows programming with visual expressions and/or spatial arrangements of text and graphic symbols used as elements of syntax or secondary notation. For example, many VPLs (known as dataflow or diagrammatic programming) are based on the idea of “boxes and arrows,” where boxes or other screen objects are treated as entities, connected by arrows, lines or arcs which represent relations or relationships.

VPLs may be further classified, according to the type and extent of visual expressions used, into icon-based languages, form-based languages, and diagram languages. Visual programming environments provide graphical or iconic elements which can be manipulated by users in an interactive way according to some specific spatial grammar for program construction.

The VPL based design and operation of the ECU 200 may be intended to conform to a specification. Verification and validation may be independent procedures that are used together for checking that a product, service, or system, such as the complete ECU 200 or those portions of the ECU 200, meet requirements and specifications and fulfill its intended purpose. In some cases, these are components of a quality management system, such as ISO 9000. In various embodiments, verification and/or validation may be performed by a third party. Verification may check that a product, service, or system (or portion thereof, or set thereof) meet a set of initial design requirements, specifications, and regulations. In the development phase, verification procedures involve performing special tests to model or simulate a portion, or the entirety, of a product, service or system, then performing a review or analysis of the modeling results. In the post-development phase, verification procedures involve regularly repeating tests devised specifically to ensure that the product, service, or system continues to meet the initial design requirements, specifications, and regulations as time progresses. It is a process that is used to evaluate whether a product, service, or system complies with regulations, specifications, or conditions imposed at the start of a development phase. Verification can be in development, scale-up, or production. This is often an internal process.

Validation may be used to check that development and verification procedures for a product, service, or system (or portion thereof, or set thereof), such as the complete ECU 200 or that portions of the ECU 200, result in a product, service, or system (or portion thereof, or set thereof) that meets initial requirements, specifications, and regulations. For a new development flow or verification flow, validation procedures may involve modeling flow and/or using simulations to predict faults or gaps that might lead to invalid or incomplete verification or development of a product, service, or system (or portion thereof, or set thereof). While validation of separate modules or the complete specification can be accomplished using the systems and methods described herein, preferably, validation of each function or sub-function within a specification is performed.

Hierarchical Accumulative Validation (HAV) may utilize model based development techniques to systematically validate a specification based on the hierarchical structure. A set of validation requirements, specifications, and regulations may then be used as a basis for qualifying a development flow or verification flow for a product, service, or system (or portion thereof, or set thereof). Additional validation procedures may also include those that are designed specifically to ensure that modifications made to an existing qualified development flow or verification flow will have the effect of producing a product, service, or system (or portion thereof, or set thereof) that meets the initial design requirements, specifications, and regulations; these validations help to keep the flow qualified. It is a process of establishing evidence that provides a high degree of assurance that a product, service, or system accomplishes its intended requirements. This often involves acceptance of fitness for purpose with end users and other product stakeholders. Written requirements for verification and/or validation may be created as well as formal procedures or protocols for determining compliance in accordance with this disclosure.

Extracting targeted models, such as of each function or sub-function within a specification, allows designers to validate control specifications early in the design cycle. This improves control specification quality and reduces overall development time.

For instance, designers may initially determine models for validation of functions or sub-functions within a control specification. The models can be selected based on functionality. For instance, these models may be based on a specific function (such as low or high level) or cross-function (such as following calculation flow). This functionality may be Module, Feature 85 and/or Application level 100.

In response to models being identified and/or selected, required inputs and outputs (I/O) are determined. The selection may be via selection of a graphical representation of the function. This can be accomplished using a software tool.

Selected models are then extracted from the parent model, Required I/Os and signal paths are maintained. The extracted models are then prepared for execution. For instance this may involve adding I/O blocks to the model, and the like. In response to extracted models being prepared, the extracted models are “harnessed” for execution. Using this methodology, designers can validate targeted models within a control specification that are equivalent to the original control specification. In the aggregate, the entire control specification may be validated.

Using this modeling technique, designers can choose to validate functions or sub-functions within a control specification that previously could not be separately validated. For instance, designers can select targeted models, extract the models, and prepare the models using a software tool (automated). These targeted and/or selected models can then be executed and validated against functional requirements. If issues are found, the parent control specification can be updated, models extracted again, and tested. This methodology results in improved software quality and reduced development time.

Verification that the ECU 200 design conforms in every possible permutation to the specification can be very difficult if not impossible and tax even the most advanced computing system. In general, in various exemplary embodiments, the present system validates from the traditional end of the specification to the beginning of the specification. For instance, the present system validates the entire ECU 200 control specification using a functional hierarchy validation of the graphically based executable logic. In various exemplary embodiments and with reference to FIGS. 2A and 213, this hierarchy approach may move from the Module level 50 to the Feature level 75 to the Application level 100 to validate the entire ECU 200 control specification.

The present disclosure outlines a method to generate test cases based on model input characteristics to achieve best possible modified condition/decision coverage (MC/DC). A modified condition/decision coverage may be used to ensure that the test cases are tested adequately. Generally, there are two types of inputs into software/modules: 1) state variables and non-state variables. State variables may include flags (such as On and Off) and modes (such as 0, 1, 2, 3, . . . ). Non-state variables may be calculated, controlled and/or sensor values. In general, state variables within control logic can be broke down into conditions and decisions. A condition may be a leaf-level Boolean expression. Thus, the leaf-level Boolean expression cannot be broken down into a simpler Boolean expression. A decision may be a Boolean expression composed of conditions and zero or more Boolean operators. A decision without a Boolean operator is a condition. For example, combinations of conditions make up a decision, such as if “A” and “B” are “On” the do X.

In general, to satisfy the MC/DC coverage criterion, during testing all of the below must be true at least once 1) Each decision tries every possible outcome; 2) Each condition in a decision takes on every possible outcome; 3) Each entry and exit point is invoked; and 4) Each condition in a decision is shown to independently affect the outcome of the decision. Independence of a condition is shown by proving that only one condition changes at a time.

This method generates unique permutations of all state variables to invoke all conditions and decisions within a software/model to achieve best possible MC/DC. For non-state variables other methods such as random, constant, ramp, sequence, etc. may be used to generate best possible range and look-up-table coverage. If a non-state variable is utilized in a decision, it can be treated as a state variable, such as be assigning discrete values to behave as a state variable. For instance, a variable range may be between 0 and 200. In the logic, if the variable is less than or equal to 50, then a decision is made. Then the variable may be set to one of two states 50 equals On and 51 equals Off.

In this way, the characteristics of the software model inputs may be utilized to generate test cases to achieve best possible MC/DC coverage. This method may be a state and/or non-state based test case generation method. For instance, according to various embodiments, initially the unique permutations of the state variables are determined. For non-state variables other methods such as random, constant, ramp, sequence, etc. may be used to generate best possible range and look-up-table coverage are utilized. Test cases may be quickly generated as prior knowledge of the control model software is not required. Variable states and ranges is what are utilized. Also, this does not overly tax the computational capabilities of the testing equipment. Calculating of the unique permutations of the state variables is much less computationally intense than other techniques. For instance, the algorithm does not need to analyze the target control model/software to determine/find solutions. Using this method, it is possible to achieve best possible MC/DC to comply with ISO standards/recommendations such as ISO 26262.

Models may be extracted from applications 105 (subsystem of the control specification) for test case generation and validation testing. The modules, signals and/or the like are retained and maintained. A computer based slicing tool may assist with efficient extraction of models for verification and/or validation.

Module level 50 may comprise the lowest level within a feature 80. A module 55 may represent actual control logic, that is, the functional requirement of module 55 may generally comprise the logic itself. A combination of multiple modules 55 may result in a higher order functional requirement that may be evaluated. The combination of multiple modules 55 may result in feature 80. Validation performed on the Module level 50 may include low level control specification and low level functional requirements, for instance those related to structure. The Feature level 75 may comprise functions within an application 105. A feature 80 may be conceptualized as a function and/or subassy. For instance, the functional requirement associated with a feature 80 may be controlling the mode of the vehicle. The feature 80 controlling the mode of the vehicle may comprise many modules 55 that each determine and control elements within this function. Feature level 75 may comprise a functional hierarchy such as a module 55 and/or groups of modules 55. Since there is no dual use of modules 55 contemplated (overlap between functional hierarchies) an accumulative hierarchical approach may be performed with confidence of the results achieved. The Feature level 75 may comprise specific mid level functional requirements. The Feature level 75 may comprise a combination of actual control logic to perform a function. The Feature level 75 may comprise multiple layers of modules 55 based on complexity. The Application level 100 may comprise the entire specification. The Application level 100 may comprise functional hierarchies (such as a feature 80 and/or groups of features 80). The Application level 100 may comprise a combination of the features 80 to perform a general function.

In various embodiments, this system utilizes two validation categories: low-level validation and high-level validation. The low-level validation may comprise identification of structural and low-level functional issues (e.g., range violations, block design issues, dead code, etc.). This low-level validation may be configured to achieve module design functional correctness.

High-level validation may validate the feature 80 and the application 105 functional hierarchies to identify and correct control design issues (e.g., incorrect control theory, unintended design error, etc.). This high-level validation may be configured to achieve control design correctness.

In general, there are two validation stages and/or levels, the Feature level 75 and the Application level 100. The Feature level 75 may include structural and functional requirements. The Application level 100 may comprise functional requirements.

With reference to FIG. 3A, an exemplary process flow is depicted. This process flow may be read left to right top to bottom (following the provided arrows). Note, that the calculations depicted in the graphically based executable logic generally flow from left to right. However, the validation of established functional hierarchies is intended, in various exemplary embodiments, to be performed right to left.

Initially, these Application level 100 graphically based executable logic functional hierarchies are identified. Next, the features 80 comprised within the functional hierarchies are identified. An individualized test case to evaluate the structure of each feature 80 may be created (such as, test case 1a.1). Additionally, the functional requirement associated with each feature 80 (such as, functional requirement (FR) 1a.1) is identified. The associated test case (e.g., 1a.1) may include this testing of the functional requirement. Next, an individualized test case to evaluate the structure of the next feature 80 in the hierarchy may be identified (such as, test case 1a.2). Additionally, the functional requirement associated with each feature 80 (such as, functional requirement (FR) 1a.2) is identified. The associated test case (e.g., 1a.2) may include this testing of the functional requirement. This process is repeated until all of the test cases (1a) on the features 80 within the functional hierarchy at this level are generated.

In response to a test case being created (e.g., test case 1a.1), validation testing on that test case may be performed, such as running test case 1a.1. This validation testing may test that the structure is correct and that any associated functional requirement is met. In response to the feature 80 passing this validation testing, the validation test of the next feature 80 in the functional hierarchy is performed. This validation test may be inclusive with respect to the previously completed prior functional requirement validation performed within the functional hierarchy. This inclusive process reduces computational requirements. Also, individualized test cases specific to a discrete structure and/or functional requirement reduces overall computational requirements. Also, in various embodiments, once the module 55 or the feature 80 is validated, only higher level functional requirements need be performed. Stated another way, in various embodiments, subsequent lower level validation at this level is not needed nor performed on the module 55 or the feature 80.

In response to all of the features 80 in the functional hierarchy being validated, a test case of the application 105 may be determined and run on the Application 100 level, similar to the test cases run on the Feature 75 level. At the Application 100 level, the test cases are generally not concerned with structure checking as that has been covered in the validation of the Feature level 75.

Various elements of the present system may be performed on a computer based simulator and/or contained within simulation software, such as Simulink®. Test cases at the Feature level 75 may be designed to achieve coverage targets, such as using an automatic test case generation tool then progress using this hierarchical approach to a modified condition decision coverage (MC/DC) level. Modified condition decision coverage may include substantially every path the logic may take and/or cover all functional requirements of the control specification. In various embodiments, modules are validated in response to MC/DC targets being met and/or functional requirements not being violated. Violations of functional requirements result in addressing and/or correcting the module 55 errors.

Test eases at the Application level 100 may further be designed for specific functional checking (user, sensors such as a LA4 Lambda Meter, etc.). The Feature 75 and the Application 100 levels may be validated when functional requirements are not violated. Functional requirement violations may result in addressing/fixing control design errors. A functional validation for the final feature 80 validation test (e.g., complete feature 80) and the Application level 100 validation may be performed in this stage.

With renewed reference to FIG. 3A, in various embodiments, the Feature level 75 may include low-level and high-level validation of the features 80 (e.g., structural and functional validation of features 80). For instance, MC/DC for the feature 80 functional hierarchy and MC/DC plus functional for a complete feature 80. Functional requirements may be added and/or evaluated as logic is evaluated. Each functional requirement may comprise multiple functional hierarchies. If a functional hierarchy does not include a functional requirement it may be included with another functional hierarchy for validation flow purposes.

With reference to FIG. 3B, a graphical representation of test cases being run on the Application level 100 are depicted. For instance, test cases 3.1-3.5 each depict a unique identified functional hierarchy. A test case may be developed to test and/or validate the functional requirement associated with each functional hierarchy. With reference to FIG. 3C, test cases established in FIG. 3B are executed. For instance, test case 3.1 is performed. If test case 3.1 returns no errors, then test case 3.2 may be run. This is also an example of the process moving right to left, starting at the end of the specification. This test case (3.2) may optionally include the results of test case 3.1 (3.2+3.1). In this way, the body of knowledge is increased without overtaxing the computing system processing each test case.

With reference to FIGS. 4A and 4B, in various embodiments, the feature 80 functional hierarchy may not be defined in the control specification. Based on computational limitations, the user may select a functional hierarchy based on the functional requirements. For instance, in the scenario where a functional hierarchy comprises one module 55 (or a computationally, manageable number of modules 55), the validation may be accomplished in one test run. In the scenario where a functional hierarchy is too large and/or complex, the functional hierarchy should be subdivided into smaller units for validation.

With reference to FIG. 5, in various embodiments, the Application level 100 comprises an Application level 100 functional hierarchy. The Application level 100 functional hierarchy may be validated on all functional hierarchies of the Feature level 75. The test cases for the Application level 100 should include new functional test cases and the feature 80 final functional hierarchy coverage test cases for improved and substantially exhaustive test coverage. Functional requirements may be added and/or evaluated as logic is validated. For instance, each functional requirement may utilize multiple functional hierarchies.

With reference to FIG. 6, in general, as previously stated, the validation system starts at the end and progresses to the Application level 100 functional hierarchy. For each feature 80 within a functional hierarchy, a Feature level 75 validation may be performed. In response to all features 80 within a functional hierarchy being validated, the Application level 100 validation for the functional hierarchy may be performed. This validation may build upon the accumulated validation of the Application level 100 functional hierarchy. In response to functional requirement violations being found within a functional hierarchy, low-level validation may be performed on the modules of interest and/or high-level validation should be re-done on the functional hierarchy. In some scenarios, the feature 80 validation may not follow the Application level 100 functional hierarchy order.

With reference to FIG. 7 in various exemplary embodiments, in response to substantially best possible coverage (MC/DC) being achieved for a module 55, additional unique testing may result in improved exhaustive coverage. This additional testing may be performed to improve the confidence in the accuracy of the validation. This additional testing may be performed in the Feature level 75 and/or the Application level 100 to result in improved exhaustive coverage confidence.

A best possible coverage test case may be generated for each functional hierarchy separately. These test cases may be user defined or may be defined by formal methods. A test case may be generated for the level that has not yet been validated. Previously validated logic may be combined with currently targeted logic, thus validated logic may be accumulated and aggregated over time as more test cases are processed. Also, functional requirements may be added and validated as one progresses up hierarchy levels. Using best possible coverage test cases and test cases generated for specific functional checking, functional requirements may be validated. Stated another way, this system validates the Feature level 75 functional hierarchy first and then moves to the Application level 100 functional hierarchy validation utilizing the same concept. In various embodiments, the system is performed using graphic based logic.

Starting at the end of the specification and validating to the beginning allows a non-validated functional hierarchy to be validated utilizing best possible coverage techniques while maintaining validated functional hierarchies for higher level functional requirement checking. Generating test cases for each functional hierarchy separately reduces processing requirements and gives coverage results for a targeted functional hierarchy. This allows each functional hierarchy to be validated directly (lower level functional requirements) while including all eligible functional requirements (typically higher level functional requirements). This system provides the possibility to achieve a more comprehensive exhaustive testing when formal methods cannot be applied due to computational or mathematical limitations. In response to this process being completed on all of the Application level 100 functional hierarchies, the entire specification is validated to the best possible coverage and exhaustive metrics. This process and system may validate the application logic of the entire ECU 200, such as for ISO compliance. This ISO compliance can be to any suitable ISO specification. This ECU 200 may be used in a vehicle, such as a land vehicle, water craft or aircraft. The ECU 200 may be used in a car, an electric bicycle, motorcycle, scooter, four wheeler, atv, motorhome, train, ship, boat, aircraft, and/or spacecraft.

The graphically based executable logic may be converted to and from text logic at any desired time. For instance, in response to the entire ECU 200 being validated, the logic may be translated from graphically based executable logic to text based logic. Also, in response to the entire ECU 200 being validated, the logic may be passed on to software in the loop and/or hardware in the loop simulation for further verification/validation. Also, various aspects of this disclosure may be combined with rapid prototyping to further test the ECU 200 logic and/or the ECU 200 elements.

With reference to FIG. 10, a process flow/work flow of hierarchical accumulative validation process is depicted. For instance, high level validation may validate at the Application levels 100 and the Feature level 85 to find control design concerns and/or issues, such as incorrect control theory, unintended design error and/or the like. Low level validation may focus on the feature 80 functional hierarchy to find structural and low-level functional concerns and/or issues, such as range violations, block design issues, dead pass, and/or the like.

Initially, according to various embodiments, validation preparation 310 is performed, Subsequently, an open loop simulation/validation 320 may occur. This open loop simulation may comprise simulation of each module, then simulating element at the feature 80 level and then graduating to simulating elements of the Application level 100 functional hierarchy. Subsequent to the open loop simulation, closed loop validation 330 may occur. The closed loop simulation with a SILS (Software-in-the-Loop Simulation) tool may be performed on the Application level 100. Closed loop may be preferred to test functional time series test conditions. It is generally performed on the Application level 100 due to the higher level of functionality at the Application level 100. Preferably, in response to all of the module and feature 80 functional hierarchy level specifications being validated, the Application level 100 functional hierarchies can be validated. While validating higher level functional requirements, lower level specifications which have previously been validated may be included in the testing. Thus, the control specification is validated based on functional hierarchy from specification end to beginning. The initial focus of the system is an exhaustive hierarchy testing with lower level functional checking. After validating lower level functional hierarchies, the Feature level 75 and the Application level 100 validation may occur; however, high level functional checking becomes the focus. Finally, validation certification 340 may occur. This may include certifying results, documenting the certification, and release of the validated control specification for use, implementation and/or further testing.

In accordance with various exemplary embodiments, with renewed reference to FIG. 10, the method described herein comprises generating a validation test plan (345). External editing of the control specification model may be ceased and/or locked out during validation (350). Next, an open loop validation of a feature of a plurality of features in the control specification may be performed (355). In response to the open loop validation of a feature being complete, an open loop validation of the functional hierarchy of an application of a plurality of applications in the graphically based logic control specification may be performed (360). Next, a closed loop validation an ECU model of a plurality of ECUs modeled in the graphically based logic control specification may be performed (365). In response to completing successful validation of the modeled ECU, a closed loop validation of a plurality of ECUs may be performed (370). These results may be certified and each step of the process may be documented (375). According to various embodiments, the validated control specification may be released for use and/or additional testing (380).

According to various embodiments and with reference to FIG. 11, in order to validate a targeted feature 80, the feature 80 is first extracted from the Application level 100 for test case generation and validation testing. Modules, signals, signal structures (such as inputs and outputs) are maintained post extraction. For instance, a computer based model slicing tool may efficiently extract models for validation and/or test case generation. This tool may select I/O blocks and/or signal structures for validation. This may be a click and drag selection, such as via a GUI (graphical user interface) using a selection device, such as a mouse, pointer, touchscreen and/or the like. The modules within a targeted feature 80 subsystem functional hierarchy are identified. These modules may be loaded into a workspace, such as a Matlab workspace. A new model may be created containing the modules listed on a GUI. As previously stated, model hierarchy is maintained throughout. For instance, as previously disclosed (see FIG. 2B), the extracted functional hierarchy is validated from end to beginning. This validation occurs through running test cases.

Test cases are generated for each extracted subsystem to achieve MC/DC. For example, with renewed reference to FIG. 2B, a functional hierarchy of a feature 80 may comprise functional hierarchy 4.1; functional hierarchy 4.2; functional hierarchy 4.3; and functional hierarchy 4.4. Test 1 may include extracting functional hierarchy 4.2 to functional hierarchy 4.1 and generating a converge test case for 4.2. Test 2 may include extracting functional hierarchy 4.3 to functional hierarchy 4.1 and generating a converge test case for 4.3, Test 3 may include extracting functional hierarchy 4.4 to functional hierarchy 4.1 and generating a converge test case for 4.4, 4.3 and 4.2 is included for functional requirement checking but are not individually rechecked for functional hierarchy validating. Stated another way, previously validated modules may be “ignored” to increase speed of simulation. The results may be retained.

Non-targeted coverage test cases may be created. To achieve best possible MC/DC efficiency, this test case generation process may include, 4 test cases 1) Permutations of state variables, a) non-state variables=random; b) test case length=sample rate*number of permutations; 2) non-state variable=0, a) state variables=integer random (min max range), b) test case length=1 second (>=1 second may be used initially); 3) Non-state variables=min, a) state variables=Integer random (min max range), b) test case length=1 second (>=1 second may be used initially); 4) Non-state variable=max, a) state variables=Integer random (min max range), b) test case length=1 second (>=1 second may be used initially).

If timer logic exists in the specification, conditions to activate the timer and generate a permutation of test variables test case may be determined. For instance, for state variables, values are assigned, if needed, to activate timer logic, if not needed, random integers or permutations may be generated. For non-state variables, values are assigned, if needed, to activate timer logic, if not needed, random values may be generated. If the number of permutations in one test ease is prohibitive, permutation test cases can be separated into multiple test cases based on functional hierarchy module independence.

These generated test cases may be imported (435). These imported test cases may be run (440). The data from the executed program is captured and analyzed (445). This analyzing comprises verification of results and generation of a report. Functional requirements are checked (450). If any functional requirements are violated, the model is analyzed, fixed and the tests are re-run until no functional requirements are violated (455). If no functional requirements are violated, a determination that the MC/DC target has been achieved is evaluated (460, 465). If the MC/DC target has not been achieved and a designer cannot identify the missing MC/DC then the automatic test case generation tool may be used to de-bug the model (470). The automatic test case generation tool may be run as an additional check at any time. If the MC/DC target has not been achieved and a designer can identify the missing MC/DC, a new test case may be generated to identify the issue (480). If the MC/DC target has been achieved the feature 80 functional hierarchy is designated as validated (490).

With reference to FIG. 12, in response to the feature 80 functional hierarchy being validated, the whole feature 80 may be extracted for high level validation. Functional test cases may be created based on test conditions and/or based on software in the loop (SILS) (510), such as a Simulation-based Software Evaluation. These functional test cases may be selected and imported (520). These functional test cases may be run (530). The data is captured and analyzed. This analyzing comprises verification of results and generation of a report (540). If any functional requirements are violated, model errors are fixed and re-verified (545, 550). If functional requirements are not violated, a determination of all test conditions being evaluated is made (560). If yes, the feature 80 open loop validation is deemed complete, if no, the test case is re-run against additional test conditions (570).

With reference to FIG. 13, in response to the open loop feature 80 being validated, generally of all features 80 is preferred, the Application level 100 functional hierarchy may be extracted for validation (610). Functional test cases may be created based on test conditions and/or based on software in the loop (SILS) (615). These functional test cases may be selected and imported (620). These functional test cases may be run (630). The data is captured and analyzed. This analyzing comprises verification of results and generation of a report (640). If any functional requirements are violated, model errors are fixed, generally at the feature 80 level, and re-verified (650,655). If functional requirements are not violated, a determination of all test conditions being evaluated is made (660). If yes, the Application level 100 open loop validation is deemed complete, if no, the test case is re-run against additional test conditions (670).

With reference to FIG. 14, the previously discussed closed loop single ECU validation may occur next. The code, such as c-code, may be generated for the validated features 80 of the ECU (710). This generated c-code may be compiled within SILS (720). A single ECU validation model may be generated (730). A test condition may be selected and set from a plurality of test conditions (740). The test may be run and the results may be captured (750). The data may be analyzed. This analyzing may comprise verification of results and generation of a report (760). If any functional requirements are violated, model errors are fixed, generally at the feature 80 level, and re-verified (770, 775). If functional requirements are not violated, the model is deemed validated for the test condition (780).

With reference to FIG. 15, the previously discussed closed loop of multiple ECU validations may occur next. A multi-ECU validation model may be generated (810). A test condition may be selected and set from a plurality of test conditions (815). The test may be run and the results may be captured (820). The data may be analyzed (830). This analyzing may comprise verification of results and generation of a report. If any functional requirements are violated, model errors are fixed, generally at the feature 80 level, and re-verified (840, 845). If functional requirements are not violated, the model is deemed validated for the test condition (850).

Steps described for one embodiment of a validation system may additionally or alternatively be incorporated into any of the other embodiments. For example, the steps described pertaining to FIG. 3A, may be used in any other embodiments. Those of ordinary skill would also appreciate that the various illustrative logical blocks, modules, and algorithm steps described in connection with the examples disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the disclosed apparatus and methods. The hierarchical accumulative validation system and method disclosed herein utilizes hierarchical structure of the control specification and calculation flow of the control specification for validation.

The steps of a method described in connection with the examples disclosed herein have been disclosed as pertaining to the ECU 200; however, this method is applicable to any graphically based executable logic and/or hierarchical validation of graphically based executable logic control specifications. For instance, with reference to FIGS. 8 and 9, .mdl files and functional hierarchies at the Application level 100 and the Feature level 75 for any type of control specification are depicted.

Systems, methods and computer program products are provided. References to “various embodiments,” “one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described. After reading the description, it will be apparent to one skilled in the relevant art(s) how to implement the disclosure in alternative embodiments.

The steps of a method or algorithm described in connection with the examples disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an Application Specific Integrated Circuit (ASIC).

The system and method may be described herein in terms of functional block components, screen shots, optional selections and various processing steps. It should be appreciated that such functional blocks may be realized by any number of hardware and/or software components configured to perform the specified functions. For example, the system may employ various integrated circuit components, e.g., memory elements, processing elements, logic elements, look-up tables, and the like, which may carry out a variety of functions under the control of one or more microprocessors or other control devices. Similarly, the software elements of the system may be implemented with any programming or scripting language such as, VPL, C, C++, C#, Java, JavaScript, VBScript, Macromedia Cold Fusion, COBOL, Microsoft Active Server Pages, assembly, PERL. PHP, awk, Python, Visual Basic, SQL (structured Query Language) Stored Procedures, PL/SQL, any UNIX shell script, and extensible markup language (XML) with the various algorithms being implemented with any combination of data structures, objects, processes, routines or other programming elements. Further, it should be noted that the system may employ any number of conventional techniques for data transmission, signaling, data processing, network control, and the like.

As will be appreciated by one of ordinary skill in the art, the system may be embodied as a customization of an existing system, an add-on product, upgraded software, a stand alone system, a distributed system, a method, a data processing system, a device for data processing, and/or a computer program product. Furthermore, the system may take the form of a computer program product on a non-transitory computer-readable storage medium having computer-readable program code means embodied in the storage medium. Any suitable computer-readable storage medium may be utilized, including hard disks, CD-ROM, optical storage devices, magnetic storage devices, and/or the like.

Exemplary embodiments of the invention have been disclosed in an illustrative style. Accordingly, the terminology employed throughout should be read in a non-limiting manner. Although minor modifications to the teachings herein will occur to those well versed in the art, it shall be understood that what is intended to be circumscribed within the scope of the patent warranted hereon are all such embodiments that reasonably fall within the scope of the advancement to the art hereby contributed, and that that scope shall not be restricted, except in light of the appended claims and their equivalents. 

What is claimed is:
 1. A computer-based method for hierarchically validating a graphically based logic control specification including a plurality of ECU models, the method comprising: identifying, by a processor for hierarchically validating the graphically based logic control specification, a functional hierarchy of a first ECU model of the plurality of ECU models, the first ECU model including a plurality of applications being at a lower layer or level than the first ECU model, each of the plurality of applications including a plurality of features, each of the plurality of features being at a lower layer or level than each of the plurality of applications; performing, by the processor, an open of the plurality of features; performing, by the processor, an open loop validation of the plurality of applications in response to completing successful validation of the plurality of features; performing, by the processor, a closed loop validation of the first ECU model in response to completing successful validation of the plurality of applications; and performing, by the processor, a closed loop validation of the plurality of ECU models in response to completing successful validation of the first ECU model.
 2. The computer-based method of claim 1, further comprising releasing, by the processor, a validated control specification in response to successful validation of the plurality of ECU models.
 3. The computer-based method of claim 1, further comprising generating, by the processor, a validation test plan.
 4. The computer-based method of claim 1, further comprising ceasing external editing of the graphically based logic control specification during validation.
 5. The computer-based method of claim 1, further comprising certifying, by the processor, results of the validation of the graphically based logic control specification.
 6. The computer-based method of claim 1, further comprising validating the graphically based logic control specification to achieve best possible modified condition/decision coverage.
 7. The computer-based method of claim 1, further comprising utilizing a graphically based model slicing tool to extract targeted models selected based on functionality.
 8. The computer-based method of claim 7, further comprising retaining inputs and outputs of the models post extraction.
 9. The computer-based method of claim 1, further comprising validating an entire electronic control unit.
 10. The computer-based method of claim 9, wherein the electronic control unit is an electronic control unit of a vehicle.
 11. The computer-based method of claim 1, wherein a unique feature test case is developed to validate each unique functional requirement of the graphically based logic control specification.
 12. The computer-based method of claim 1, wherein the validation flows from module level to feature level to application level.
 13. The computer-based method of claim 1, further comprising subdividing a functional hierarchy based on computational constraints.
 14. The computer-based method of claim 1, wherein overlapping test case validation provides substantially exhaustive validation coverage.
 15. The computer-based method of claim 1, further comprising validating by starting at an end of the graphically based logic control specification and validating to a beginning of the graphically based logic control specification.
 16. The computer-based method of claim 1, wherein the computer-based method is used to validate the graphically based logic control specification to an International Organization for Standardization (ISO) specification.
 17. The computer-based method of claim 1, wherein elements of the graphically based logic control specification are rendered on a user interface.
 18. The computer-based method of claim 1, wherein the hierarchical structure of the control specification and calculation flow of the graphically based logic control specification are utilized to generate test cases for validation.
 19. A system comprising: a processor configured to hierarchically validate a graphically based logic control specification that includes a plurality of ECU models, a first ECU model of the plurality of ECU models including a plurality of applications, each of the plurality of applications being at a lower layer or level than the first ECU model and including a plurality of features, each of the plurality of features being at a lower layer or level than each of the plurality of applications, a tangible, non-transitory memory configured to communicate with the processor, the tangible, non-transitory memory having instructions stored thereon that, in response to execution by the processor, cause the processor to perform operations comprising: performing, by the processor, an open loop validation of the plurality of features; performing, by the processor, an open loop validation of the plurality of applications in response to completing successful validation of the plurality of features; performing, by the processor, a closed loop validation of the first ECU model in response to completing successful validation of the plurality of applications; and performing, by the processor, a closed loop validation of the plurality of ECU models in response to completing successful validation of the first ECU model.
 20. An article of manufacture including a non-transitory, tangible computer readable storage medium having instructions stored thereon that, in response to execution by a computer-based system configured to hierarchically validate a graphically based logic control specification that includes a plurality of ECU models, cause the computer-based system to perform operations comprising: identifying, by the computer-based system, a functional hierarchy of a first ECU model of the plurality of ECU models, the first ECU model including a plurality of applications, each of the plurality of applications being at a lower layer or level than the first ECU model and including a plurality of features, each of the plurality of features being at a lower layer or level than each of the plurality of applications; performing, by the computer-based system, an open loop validation of the plurality of features; performing, by the computer-based system, an open loop validation of the plurality of applications in response to completing successful validation of the plurality of features; performing, by the computer-based system, a closed loop validation of the first ECU model in response to completing successful validation of the plurality of applications; and performing, by the computer-based system, a closed loop validation of the plurality of ECU models in response to completing successful validation of the first ECU model. 